SNMPv3 context configuration on "older" Switches

HUBERT RESCH
Level 3

Hi, on our switches we are to configure SNMPv3 and a user for LMS.

Because we are using User-Tracking we need to configure the context.

It is possible to configure it just with "vlan-" and the match prefix statement.

So all possible VLANs on the switch are included.

snmp-server group LMS_GROUP v3 priv read readlms write writelms notify notifylms access SNMP_ACL

snmp-server group LMS_GROUP v3 auth context vlan- match prefix read readlms write writelms notify notifylms access SNMPV3_ACL

snmp-server view readlms iso included

snmp-server view writelms iso included

snmp-server view notifylms iso included

ip access-list standard SNMPV3_ACL

permit x.x.x.x

permit y.y.y.y

snmp-server user lmsuser LMS_GROUP v3 auth md5 lmsauthpw priv aes 256 lmsencryptpw

Switch#sh snmp context
vlan-1
vlan-2
vlan-10
vlan-11
vlan-70
vlan-71
vlan-72
vlan-73
vlan-74
vlan-90
vlan-91
vlan-95
vlan-98
vlan-99
vlan-101
vlan-102
vlan-103
vlan-104
vlan-105
vlan-107
vlan-108
vlan-109
vlan-110
vlan-111
vlan-112
vlan-113
vlan-114
vlan-115
vlan-123
vlan-174
vlan-197
vlan-198
vlan-199

this works fine.

The bad thing is that we also have a lot of 3550 switches in the field. The latest IOS version available for the 3550 is 122-44.SE6, which does not support this "match prefix" statement.

That means that we have to configure

snmp-server group LMS_GROUP v3 auth context vlan-1  read readlms write writelms notify notifylms access SNMPV3_ACL

...

...

...

snmp-server group LMS_GROUP v3 auth context vlan-199  read readlms write writelms notify notifylms access SNMPV3_ACL

so the SNMPv3 config is not easy to roll out automatically.

Is there another option without configuring a context statement for every VLAN?

Thx

Hubert
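One host-side way to do the per-VLAN rollout on switches whose IOS lacks `match prefix` is to generate the explicit `context vlan-N` lines from the switch's own output, so each device only gets contexts for VLANs it actually has (and, for later VLAN additions, only the ones still missing from `show snmp context`). The script below is an added example for this thread; it is not the Tcl script Joe mentions and not Cisco code. The two command outputs it parses are constructed samples, and the group, view and ACL names are the ones from the post above, passed in as parameters so they can be changed.

```python
import re

# Constructed sample output of `show vlan brief` from a hypothetical switch (not from the thread).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2
10   users                            active    Fa0/3, Fa0/4
70   servers                          active    Gi0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# Constructed sample output of `show snmp context`: only two contexts exist so far.
SHOW_SNMP_CONTEXT = """\
vlan-1
vlan-10
"""

# A VLAN row: numeric id, a name, then the status column.
VLAN_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+(active|suspended|act/unsup|sus/unsup)\b")


def parse_vlan_ids(show_vlan_brief: str) -> list[int]:
    """Return the IDs of usable VLANs; the reserved act/unsup VLANs (1002-1005) are skipped."""
    ids = []
    for line in show_vlan_brief.splitlines():
        m = VLAN_LINE.match(line)
        if m and "unsup" not in m.group(2):
            ids.append(int(m.group(1)))
    return sorted(ids)


def parse_contexts(show_snmp_context: str) -> set[str]:
    """Return the context names already present on the device, one per non-empty line."""
    return {line.strip() for line in show_snmp_context.splitlines() if line.strip()}


def missing_contexts(vlan_ids, contexts) -> list[str]:
    """VLANs that have no 'vlan-N' context yet; User Tracking skips exactly these VLANs."""
    return [f"vlan-{v}" for v in vlan_ids if f"vlan-{v}" not in contexts]


def context_config(group, level, contexts, read, write, notify, acl) -> list[str]:
    """One explicit 'snmp-server group ... context vlan-N' line per context (no match prefix needed)."""
    return [
        f"snmp-server group {group} v3 {level} context {ctx} "
        f"read {read} write {write} notify {notify} access {acl}"
        for ctx in contexts
    ]


def generate(show_vlan_brief, show_snmp_context, group="LMS_GROUP", level="auth",
             read="readlms", write="writelms", notify="notifylms", acl="SNMPV3_ACL"):
    """Config lines for every present VLAN that still lacks a context on this device."""
    missing = missing_contexts(parse_vlan_ids(show_vlan_brief),
                               parse_contexts(show_snmp_context))
    return context_config(group, level, missing, read, write, notify, acl)


if __name__ == "__main__":
    for line in generate(SHOW_VLAN_BRIEF, SHOW_SNMP_CONTEXT):
        print(line)
```

Run against the two sample outputs it prints a single line for vlan-70, the only active VLAN without a context; feeding it an empty `show snmp context` gives the full set for a fresh switch. Running the same comparison on a schedule also surfaces newly created VLANs before User Tracking starts timing out on them.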

9 Replies

Joe Clarke
Cisco Employee

I wrote a Tcl script to facilitate configuring multiple SNMP contexts on devices. You should have the tclsh on these 3500s. Try running this script as:

tclsh snmp-context.tcl -p -g GROUP -l LEVEL vlan-

Where GROUP is your SNMPv3 group and LEVEL is your SNMPv3 security level (i.e. auth or priv).

Thx, I'll try the script.

KR

Hubert

Interesting but disturbing.

I assumed all this would be dynamic.

Campus finds out what VLANs are on the box and does what is required to obtain the MAC table of each VLAN.

So if I understand correctly this is not the case?

I have customers where VLANs get created and deleted quite rapidly.

So the SNMP context there needs to be adjusted all the time?

Is there a document that describes in some detail what needs to be done on the various IOS versions?

Cheers,

Michel

The problem described here is a matter of access vs. data collection. Campus does dynamically detect VLANs on the device, but unless it is given access to query those VLAN contexts, it will not be able to retrieve such per-VLAN data as spanning tree and CAM tables.

Prior to SNMPv3, Cisco used a community string indexing hack to make legacy MIBs aware of different instances. SNMPv3 provides the context as a well-defined mechanism to have the same MIB implemented multiple times within a manager. If you need to use SNMPv3 on your devices, you must configure your SNMP group with all of the VLAN contexts to be polled. This is documented in the Campus Manager/LMS online help.

Thanks Joe,

I searched on SNMP v3 user tracking in LMS 4 without any result.

On CCO I found a document that mentions this context keyword in conjunction with user tracking.

I have a few C2950s that now give me just the default VLAN in UT.

It appears not to know the context keyword. It's a 12.1 IOS but it supports SNMP v3.

I doubt to find much 12.1 IOS at customers that want snmp v3 though.

So each VLAN added requires an edit of the SNMP context, otherwise user tracking silently fails for that VLAN?

There are some downsides to using SNMP v3. But your script can help there.

Cheers,

Michel

It looks like they pulled this section of the online help in LMS 4.0. I can find it in 3.2.

You are right, the 2950s do not support contexts, and thus cannot work properly in UT. This is a known issue, and I wrote code so that LMS will fall back to SNMPv2c (if community strings exist) for these switches. Context support requires varying versions of 12.2, so the 2950s will never support them.

If a VLAN context is not configured, then UT will skip those VLANs.  A timeout error will be printed in the ut.log.

Thanks again Joe,

All this is not documented clearly enough for simple folks like myself.

Is it possible to configure an SNMP context for VLANs that are not present on the device?

I.O.W. can I push a single "ad hoc" job to all devices so that a context exists for all VLANs in the domain?

Or do I need to find out what VLAN is present and configure a context based on that per device?

Cheers,

Michel

Yes, you can configure contexts for VLANs that do not [yet] exist on the device.

Thanks Joe,